Monday, October 6, 2014

Fixing the BASH Shellshock vulnerability on OSX 10.5.8 and 10.6.8

Apple released a BASH update that addresses the Shellshock vulnerabilities, but it left out operating systems older than 10.7 Lion.

Well, I happen to know people who are running various 10.5.8 and 10.6.8 Snow Leopard machines in production. They are used in automation and rely heavily on BASH. Thus, I upgraded over a dozen legacy Mac OSX Servers and it was pretty straightforward.

You will need to download the latest Xcode for each respective OS.
The only gotcha is 10.5.8 and cURL: 10.5.8's built-in cURL does not support SSL, so you will need to add the -k (insecure SSL) flag to the cURL commands in the instructions.

That is it. For 10.5, add the -k flag to each cURL request that downloads from Apple's servers.
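Since -k tells cURL to skip certificate verification, a download made that way is not authenticated by TLS. The helper below is an added example, not part of this post and not Apple's instructions: it wraps the cURL call, adds -k only when asked, and keeps the file only if its SHA-256 matches a digest you recorded beforehand on a machine whose cURL does verify certificates. The URL and digest in the usage comment are placeholders, not real Apple values.

```shell
#!/bin/sh
# fetch_verified.sh: constructed helper for downloading the bash sources/patches
# on a 10.5.8 box where curl needs -k. The -k flag disables certificate
# checking, so the only remaining integrity check is the SHA-256 comparison.

# Print the SHA-256 of a file using whichever tool this host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# verify_sha256 FILE EXPECTED: 0 if the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_SHA256 [insecure]
# Pass "insecure" as the fourth argument on 10.5.8 where -k is required.
# Returns 0 on a verified download, 2 if curl failed, 1 on digest mismatch
# (in which case the downloaded file is deleted rather than left around).
fetch_verified() {
  url=$1; dest=$2; expected=$3; mode=${4:-verify}
  if [ "$mode" = insecure ]; then
    curl -k -sS -L -o "$dest" "$url" || return 2
  else
    curl -sS -L -o "$dest" "$url" || return 2
  fi
  if verify_sha256 "$dest" "$expected"; then
    return 0
  fi
  rm -f "$dest"
  echo "digest mismatch for $url; file discarded" >&2
  return 1
}

# Example invocation with placeholders (not real values):
# fetch_verified https://opensource.apple.com/PLACEHOLDER/bash.tar.gz bash.tar.gz \
#   "<sha256 recorded on a machine whose curl verifies the certificate>" insecure
```

Record the digest once on a 10.7 or newer machine (where cURL validates the certificate) and carry it to the 10.5.8 hosts; the legacy machine then only trusts what matches that value.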

Once finished, you should be able to address all of these vulnerabilities:

CVE-2014-6271
CVE-2014-7169
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187

Bash should report version 3.2.55(1) afterwards.

Once you are patched, it is time to test.

You can go to shellshocker.net and download a bash script that runs through all the vulnerabilities.

Or run it from the shell via cURL.

curl https://shellshocker.net/shellshock_test.sh | bash
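If you would rather not pipe a remote script straight into bash, the self-check below is an added example (not the shellshocker.net script and not Apple's code) that covers the same ground locally: it confirms the installed bash is at or above the 3.2.55 target stated above, then runs the usual behavioural probes for the six CVEs listed. Each check returns 0 when bash behaves like a patched build and 1 when it shows the vulnerable behaviour; the checks for CVE-2014-6277, -7186 and -7187 rely on the vulnerable parser crashing, so a non-zero exit from bash is what they look for. It assumes the `bash` found on PATH is the one you just installed.

```shell
#!/bin/sh
# shellshock_selfcheck.sh: constructed post-patch verification. Nothing here
# modifies the system; every probe runs in a throw-away bash or a temp dir.

# Version string of the bash under test, e.g. "3.2.55(1)-release".
bash_version_string() {
  bash -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null
}

# bash_at_least MAJOR MINOR PATCH: 0 if the running bash is at or above it.
bash_at_least() {
  v=$(bash_version_string) || return 1
  [ -n "$v" ] || return 1
  v=${v%%(*}                              # "3.2.55(1)-release" -> "3.2.55"
  maj=${v%%.*}; rest=${v#*.}
  min=${rest%%.*}; pat=${rest#*.}
  pat=${pat%%[!0-9]*}; pat=${pat:-0}
  [ "$maj" -gt "$1" ] && return 0
  [ "$maj" -lt "$1" ] && return 1
  [ "$min" -gt "$2" ] && return 0
  [ "$min" -lt "$2" ] && return 1
  [ "$pat" -ge "$3" ]
}

# CVE-2014-6271: commands trailing a function body in an environment
# variable must not run when a new bash starts.
check_cve_2014_6271() {
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in *vulnerable*) return 1 ;; esac
  return 0
}

# CVE-2014-7169: the parser bug left after the first fix turns "echo date"
# into ">echo date", leaving a file named "echo" in the working directory.
check_cve_2014_7169() {
  tmp=$(mktemp -d "${TMPDIR:-/tmp}/ss7169.XXXXXX") || return 1
  ( cd "$tmp" || exit 1
    env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1
    [ ! -e echo ] )
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# CVE-2014-6278: the later code-execution path through the function parser.
check_cve_2014_6278() {
  out=$(env X='() { _; } >_[$($())] { echo vulnerable; }' bash -c : 2>/dev/null)
  case "$out" in *vulnerable*) return 1 ;; esac
  return 0
}

# CVE-2014-6277: nested function definition with a here-document; a
# vulnerable bash crashes on it, so a non-zero exit means vulnerable.
check_cve_2014_6277() {
  bash -c 'f() { x() { _; }; x() { _; } <<a; }' >/dev/null 2>&1
}

# CVE-2014-7186 (redir_stack): 14 here-documents on one command.
check_cve_2014_7186() {
  bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
}

# CVE-2014-7187 (word_lineno): 200 nested for-loops with empty word lists.
check_cve_2014_7187() {
  { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
    i=1; while [ "$i" -le 200 ]; do echo done; i=$((i+1)); done; } \
    | bash >/dev/null 2>&1
}

# Positive check: a patched bash exports functions under a BASH_FUNC_ prefix
# (upstream appends "%%"; vendor builds differ only in the suffix), so an
# ordinary variable can no longer be mistaken for a function definition.
exported_functions_are_prefixed() {
  bash -c 'f() { :; }; export -f f; env' 2>/dev/null | grep -q '^BASH_FUNC_f'
}

run_all() {
  printf 'bash version: %s\n' "$(bash_version_string)"
  if bash_at_least 3 2 55; then echo "PASS version >= 3.2.55"; else echo "FAIL version < 3.2.55"; fi
  for c in check_cve_2014_6271 check_cve_2014_7169 check_cve_2014_6277 \
           check_cve_2014_6278 check_cve_2014_7186 check_cve_2014_7187 \
           exported_functions_are_prefixed; do
    if $c; then echo "PASS $c"; else echo "FAIL $c"; fi
  done
}

run_all
```

Run it as `sh shellshock_selfcheck.sh` on each machine after installing the rebuilt bash; any FAIL line means that host still has the old binary somewhere on PATH (check `/bin/bash` and `/bin/sh`, which are both bash on these systems).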

I hope this helps.

Once you compile it, you can easily tar the files up and use them for redistribution to similar machines. I only had to compile BASH twice (once for 10.5 and once for 10.6). I then took my Release build binaries and rsynced them across various OSX machines from my iPad.

I tested it extensively on some VMs and then on production servers. I was a bit worried about going the homebrew route, as that method will install the newer 4.3. That is a major generational change and there would be some major breakage somewhere. Thus, sticking with a 3.2.XX version of BASH with all the updates will be the most painless. I have OS X servers running MailMan listservs; some are used for production automation that runs rsync, mounts NFS shares, CalDAV, and the like. So far, nothing has broken.